Interview: Josh Corman, CTO of Sonatype

Thanks everyone for joining us on The Security Influencers Channel, where we host brief and highly informative interviews with influential security leaders. Today we're joined by my friend, Josh Corman. Josh is currently the CTO at Sonatype, the co-founder of Rugged Software, the co-founder of I Am The Cavalry, and a highly sought-after speaker.

Previously Josh worked in security at Akamai, where he was hired to build and run a new team called Security Intelligence. The team was put together to do research, analysis, and thought leadership, to work closely with high-risk organizations, and to drive actionable intelligence into the public sector, government, and critical infrastructure. Josh also led the Enterprise Security Practice for The 451 Group and IBM's internet security division.

In this interview, we discuss what Josh thinks about security's place in the "Internet of Things." Josh shares his opinion on what is needed from the security industry to shape the dialogue for the average person on how important security is becoming in our daily lives. I ask Josh what is going on with the "Rugged Software Movement" and if it is accomplishing what it set out to do. Josh's passion for "I am the Cavalry," his latest endeavor, is evident and extremely important, so we spend a little time discussing what it is and how it is influencing our lives. We wrap up with a few security predictions from Josh on what he thinks 2015 has in store.

The following is a brief excerpt of our interview:

Jeff Williams: I just watched a TED event where you gave a talk titled "Swimming With the Sharks: Security in the Internet of Things," and you were talking about a recent shark dive you did. What's going on with "IoT"? Why is it so dangerous?

Josh Corman: I went shark diving with a friend of mine, who goes all of the time. One of the things my boss said to me at the time was, "What kind of an idiot gets in the water with an apex predator?" He thought my risk-reward math was really bad, so he politely decided not to come. While I was doing it, there was a kind of personal experience of swimming with apex predators and seeing masters in their domain, and that we were really outgunned; it kind of really framed well for me and caused me to reboot and rewire my talk for the TEDx.

What I realized, when I got back to shore, was I looked at my computer on wheels, my brand new car, and I said, "We too are swimming in a sea of the 'Internet of Things,' and we too have apex predators." The difference between the shark dive and the "Internet of Things" is that in the shark dive, if you're afraid of sharks you can stay on dry land, or if things get too hairy or there are too many sharks swarming you can get back to that safety. What I realized was that in the Internet of everything we were quickly running out of dry land, so it became an apt metaphor for kind of framing our increased dependence on connected technology in areas that affect public safety and human life.

Hackers have better tools than you...

Jeff Williams: So, I'm curious, was your scuba tank hooked up to a network?

Josh Corman: [Laughs] No. We're going to have software and connectivity in everything. It's the bacon principle, right? Everything's better with bacon. Everything's better with Bluetooth.

Jeff Williams: It really is. Are all of your talks about apex predators? I mean, I thought zombies were apex predators.

Josh Corman: Now that you and I have known each other for a long enough time, the power of story and metaphor really helps people reframe things because, you know, security people and security architects, and thinkers, and problem solvers, we've come up with a lot of technical solutions, but I think one of our big failures is that while we have a lot of technical supply in the cyber world, we don't have a lot of demand. We need to capture the hearts and minds of both developers and their bosses and management chains, and I guess this year's revelation was we also need to capture the hearts and minds of consumers in the market.

Until there's a real recognition that we are taking risks, and we are surrounded by apex predators, we're unlikely to see the incentive structures change. I think metaphors become a good way that anyone from a congressman to my neighbor to my mother-in-law can start to realize some of the risks incurred by putting web browsers into vehicles.

Jeff Williams: I think you're right about the stories and the power of metaphor. Your talk on zombie auditors is one that sticks with you, right? It frames up the problems perfectly, so I really enjoyed that. Towards the end of the talk you brought up the concept of "rugged software," and that's something that both you and I worked on and that I think is a very interesting approach, so how do you view the state of the rugged software movement? What's going on there?

Josh Corman: So, I think rugged aimed to have a very modest focus on values and demand. I don't think we ever called it this when we were first writing it, but I referred to it as almost a Hippocratic Oath for people who write digital infrastructure, the architects and developers, some sort of value in which they do their craft. I think originally it was aimed to create a little bit more demand and realize that if you're writing digital infrastructure, especially in places that can affect safety, that you had a higher calling than just a day job. I think it was directionally correct.

We had that Rugged Summit where we locked a whole bunch of really smart folks in a room in a hotel for a week and came out with the implementation guide and handbook. I really like what people like James Wickett have done and run with it to make it more directly applicable to engineers. Where I've gone is I look at it as directionally correct and a partial truth, but my heart kind of realized that until we were talking about the context within which that digital infrastructure is used we would have limited success, much like OWASP. You know, a lot of supply but not enough adoption and demand yet.

Ultimately, if a developer gets religion and wants to do a better job sanitizing input and start avoiding cross-site scripting and SQL injection, they are still bonused and incentivized to ship features on time and on budget. One of the reasons we've had to start the I Am The Cavalry movement was to make it really clear to the policy makers and consumers that we're starting to put software in places where it was not designed and was not merited to handle accidents and adversaries that can cause some really bad consequences.

Jeff Williams: So you went beyond rugged, and you've started I Am The Cavalry. What's going on there?

Josh Corman: So, right around DEF CON 21 we took a bunch of, it was Nick Percoco and myself, but we took a bunch of parents and concerned citizens who had been quietly behind the scenes trying to work to inform government and intelligence community folks of some growing concerns. I researched Anonymous and espionage and things about national security, and we kept naively believing that if we got high and deep enough in the government and we got the right message to the right person in power they would fix it. That was cute, but it took many years to get the credibility and the access. Ultimately a cadre of us got as high and deep as we could, some pretty A-list, hardcore, dedicated, altruistic researchers, and what we found was even the people in power weren't aware of the problem or didn't feel empowered to do anything about it.

After much drinking at the bar one night after being at Fort Meade, a few of us said, "The cavalry isn't coming, and that means it falls to us. Not that we're better or even up to the challenge, but these people don't know much about stem cell research or fracking or other highly technical fields, and who else but us can be that voice of reason and technical literacy?" We made a choice and asked the rest of the research community to declare that we would be part of the solution and we'd at least try. We'd fail fast at any rate. We essentially just changed from being inside the echo chamber to being more of an ambassador, to meet people at their level in government, in insurance, in industry, especially where things can affect public safety and human life.

We started four projects: automotive security, medical device security, connected home security, and public infrastructure. We decided to make a chain of influence for each and work with the various regulatory bodies, the government executive branch, legislators, and lawyers, find willing parties, and take an approach of collecting, connecting, collaborating, and catalyzing to try to see if we could usher in safer outcomes sooner.

To learn more about "I Am The Cavalry" and hear the rest of my interview with Josh, click here.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.